By taking a continuous compliance approach based on automated assessments against compliance and security rules expressed as code, Chef Automate makes it possible to have audit results available at any time. Detect noncompliance, identify and prioritize issues, then quickly apply remediation across your entire fleet, saving time, redeploying engineering resources, and reducing risks associated with traditionally manual compliance inspections.

Now you can enter an audit cycle knowing your exact compliance posture, rather than being surprised by auditors’ findings. What’s more, Chef Automate helps you demonstrate how your compliance posture has evolved and improved over time, giving auditors the confidence they need to make an accurate assessment.

Whitepaper

The Chef Automate Guide to PCI DSS Compliance

The Chef Automate Guide to FFIEC Compliance

Manual audit processes are inherently imperfect and risky

Most organizations are subject to the rules of an ever-increasing number of regulatory regimes, while dealing with rapidly escalating endpoints and environments to test. No matter how much time and resources you apply to an audit cycle, manual processes can’t keep up with cloud scale and growing complexity, and represent unacceptable risk. Nevertheless, industry data, like Verizon’s 2017 Payment Security Report, show that many companies subject to compliance regimes like PCI-DSS are still relying upon manual approaches.

For example, PCI Key Requirement 11, which scores companies on whether they are testing their security controls, is the most-failed requirement, with nearly a third of companies noncompliant with this rule. Lack of ongoing compliance validation is a major contributing factor to the relatively low level of PCI compliance worldwide, with only 55% of companies subject to PCI passing their first audit.

Manual audit processes destroy organizational efficiency

Existing compliance processes involving manual inspection of environments during your audit cycle are not only slow, they divert valuable engineering resources. The lack of automation results in a constant stream of one-off requests that take precedence over product development. These disruptive escalations, and the resulting context switching, are both inefficient and difficult to manage.

More troublesome than the chaos associated with manual compliance activities is the negative impact on engineering throughput. While one-off or manual approaches ultimately deliver auditors what they need, the quickly developed tools and scripts are often discarded and not reusable. Your developers and engineers devote critical time to output that is neither product oriented nor revenue generating.

Preparing for Audits With Inspec

Compliance Automation Reduces Risk While Helping You Move Fast

Automated audits of production environments are a good step towards improved compliance. But when you “shift compliance left” and ingrain compliance assurance within the development process as automated tests, you not only are reducing risk, but accelerate the entire software delivery process. Instead of relying solely on scanning approaches just prior to deploying to production, Chef Automate and InSpec can help you detect and correct compliance issues during development. This approach helps eliminate reams of data caused by redundancies and false positives, and helps prove to auditors your ability to enforce compliance policies by design.

The reams of data that need to be sifted through manually when utilizing scanning approaches before pushing into production simply adds to the inefficiencies, confusion and rework. Gathering data earlier in the process through testing — and in a continuous manner once in production — also helps you answer auditors’ questions later and instills confidence that you are secure and compliant throughout your product development lifecycle.

With InSpec, you have a real-time view of how you’re performing. When you come to that audit exam you already know if you’re passing or not. In fact, the event of the audit is a simple step of printing the output.